This article compares the search results of the Google Hacking filter “intitle”, which returns only sites containing specific keywords in the title, with those of the “title” filter provided by Criminal IP (CIP).

What is Google Hacking?

Google Hacking is a service that uses Google Search and Google’s applications to find security vulnerabilities in the construction and computer code of a website. The information that can be collected with Google Hacking can be surprisingly diverse. We can narrow down the results using filters such as filetype, site, inurl, and intitle, together with quotation marks.

Compared to Google, which collects data based on the web, Criminal IP (https://www.criminalip.io/) collects data based on IP and port information. However, if the collected information comes from a web port, results previously invisible in the Google search engine can be found using Criminal IP. In particular, Google’s intitle: filter shows results for content from a website’s <title> tag, which works much like Criminal IP’s title: filter. Let’s look at some of Google Hacking’s search tips and compare them to Criminal IP’s features.

Searching for vulnerable directory listings using dead.letter

intitle:index.of "dead.letter"

Google search result for intitle:index.of “dead.letter”.

The dead.letter file is an error log generated when a specific error occurs in a Linux/Unix environment. ‘index.of’ is a string that appears when visiting a website with a directory listing vulnerability, so the search results yield server addresses with full server accessibility.

An index.of file with vulnerable server addresses with full server accessibility. This particular string is visible and can be used to identify websites with directory listing vulnerability.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
  <title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>

Criminal IP can yield the same results with its title: filter. Use the query shown below to access Criminal IP’s Asset Search results.

"dead.letter" title:index.of

Criminal IP search result for “dead.letter” title:index.of.

Criminal IP’s search results also show unique data that users cannot access on Google. In addition, Criminal IP classifies the crawled data by country, presence or absence of CVE vulnerabilities, and the type of web server involved (such as Apache).

Finding Remote Desktop Servers in Web format

intitle:"Remote Services Web Connection"

Google search result using intitle:”Remote Desktop Web Connection” inurl:tsweb.

Microsoft also provides a web version of its RDP server. In other words, this Google Hacking query is an example of how an externally exposed RDP server can be found.

MS RDP server in web format, exposed on Google Hacking search results.

Users can run the identical query with Criminal IP’s title: filter.

title:"Remote Services Web Connection"

Criminal IP Image Search results for title:”Remote Desktop Web Connection”

It should also be noted that Criminal IP’s Image Search provides RDP screenshots for user convenience.

Criminal IP Image Search results for RDP screenshot

Finding Apache Test Pages in its Default state

intitle:"Test Page for Apache"

Google Search results for intitle:”Test Page for Apache”

The screenshot below shows the default welcome page that appears immediately after installing an Apache server. This is a famous example of a vulnerability that can be found using Google Hacking.

An exposed Apache Default Welcome page shown on Google Hacking search results for intitle:”Test Page for Apache”

Use the following query to yield the same search results using Criminal IP:

title:"Test Page for Apache installation"

Criminal IP Asset Search results for title:”Test Page for Apache installation”

It is evident that Criminal IP’s results tab shows far more data than what users can find using Google Hacking. This can be attributed to how IT systems are set up: systems installed in a default state often have no domain associated with them. Thus, compared to Google, a system that crawls centrally by domain, Criminal IP’s IP-based collection method can yield more comprehensive results, especially for default welcome pages.

We have previously covered the dangers of default welcome pages in our article, Default welcome page exposure: A Significant Security Risk.
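The three page titles covered above can also be checked from the defender's side, against response bodies from hosts you operate. The following Python code is an added example, not code from Criminal IP or the original article: it extracts the <title> from a page and flags the directory listing, RDP web connection and Apache test page titles. The labels, the function name audit_page and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

SIGNATURES = {  # title strings from the article's queries; labels are assumptions
    "directory-listing": re.compile(r"^index of /", re.I),
    "rdp-web-connection": re.compile(r"remote (desktop|services) web connection", re.I),
    "apache-default-page": re.compile(r"test page for (the )?apache", re.I),
}

class TitleAndLinks(HTMLParser):
    """Collects the <title> text and every <a href> in a page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title, self.title_parts, self.hrefs = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title_parts.append(data)

def audit_page(html):
    """Return (normalized title, findings) for one response body."""
    p = TitleAndLinks()
    p.feed(html)
    p.close()
    title = " ".join("".join(p.title_parts).split())  # collapse whitespace
    findings = [name for name, rx in SIGNATURES.items() if rx.search(title)]
    # A listing that links dead.letter matches the article's first query.
    names = {h.rsplit("/", 1)[-1] for h in p.hrefs}
    if "directory-listing" in findings and "dead.letter" in names:
        findings.append("dead.letter-exposed")
    return title, findings

SAMPLES = {  # constructed response bodies, not captured from real hosts
    "listing": '<title>Index of /</title><h1>Index of /</h1><a href="dead.letter">dead.letter</a>',
    "apache": "<html><head><TITLE>Test Page for Apache\n Installation</TITLE></head></html>",
    "blog": "<html><head><title>An index of my recipes</title></head></html>",
}

if __name__ == "__main__":
    print({name: audit_page(body) for name, body in SAMPLES.items()})
```

The "blog" sample shows why the directory listing pattern is anchored to the start of the title: an ordinary page that merely contains the words "index of" is not flagged.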

Lastly, we would like to note that Google Hacking has far more filters than the intitle: filter we covered today. Search result data can vary widely between the two services, with Criminal IP yielding a larger volume of results at times and Google at others. Furthermore, Google Hacking has been a big player in the field of threat information collection, to the point that a book of the same name has been published. Overall, using both services, especially Criminal IP’s comprehensive search results, can help users collect more comprehensive threat intelligence.


Source: Criminal IP (https://www.criminalip.io)
